The RBN (Russian Business Network), now operating via Real Host Ltd., is a fairly blatant cybercrime and bulletproof hosting hub. It inhabits AS8206 Junik, based in Riga, Latvia, and is high on any watch list (ref1 & ref2).

As Dynamoo points out, it is "a real sewer" (ref3). Moreover, it has all the hallmarks and operational elements of the apparently fragmented RBN, either as a resurgence or as a clone of the RBN's business model.

Fig 1 – Front page of installing cc – Zeus botnet rental & loading

Of more current interest, this is the base for distributing the new and as yet unpatched "zero day Flash/PDF exploit" (ref 4) and zero-day Microsoft exploits such as DirectShow (MS09-028), and it is a core center for Zeus botnet C&C (command and control). Zeus is the number one botnet in the US, with an estimated 3.6 million PCs infected.

Google Safe Browsing shows the following for AS8206 Junik over the last 90 days: 12 sites serving malicious software for drive-by downloads; 102 sites acting as intermediaries for the infection of 11,810 other web sites; and 161 web sites hosting malware that infected 20,681 other web sites.

Google Safe Browsing, for just one of the domains (71.speed.info), reports 32 scripting exploits.

The Results of Investigation and Reporting the Issues

Fig 3 – Real Host routing – as of 07/31/09

Fig 4 – Real Host routing – as of 08/03/09

Money mule sites - the Barwells Group and NewskyAG - reveal the following:

BarwellsGroup

"During the trial period (1 month), you will be paid 2,000 USD per month while working on average 3 hours per day, Monday-Friday, plus 5 commissions from every transactions or task received and processed. The salary will be sent in the form of wire transfer directly to your account. After the trial period your base pay salary will go up to 3,500USD per month, plus 5 commissions."

Clearly this is a money mule recruitment program. It sounds pretty good for 3 hours of work per day!

NewskyAG

Not only does this domain operate a money mule scam, it also ran a Zeus C&C server. What is scary is that people actually fall prey to this scheme, as shown by this quote from Yahoo Answers:

To start with, the net block is leased from Junik by Alex Spiridonov, Abay Street 2a, Almaty, Kazakhstan. Here are just a few other tell-tale signs:

Many of the domains are ex-EstDomains.

All of the websites are in Russian, or Russian/English for the trading arm.

Older entities which many had thought were dead and gone are here: Barwells Group, Newsky, Web-Alfa, and good old Botnet.su.

All of these were operational elements of the RBN (Russian Business Network). So while this may not be a reincarnation of the RBN, these are clearly Russian organized cyber criminals in the same vein, and at least headed by someone from the old RBN school.

Further manual investigation yielded the following information on domains hosted by Real Host:

IP                Domain                    Purpose
213.182.197.229   yourgoogleanalytics.us    Money Mule Recruiting
213.182.197.229   barwellsgroup.cn          Money Mule Recruiting
213.182.197.249   Vikd3jj-3.com             Malware
213.182.197.251   2k90.cn                   Malware
213.182.197.13    Mac-videos.com            Mac Trojan
213.182.197.236   71speed.info              Banking Trojan - Silent Banker
213.182.197.8     bestxvids.info            Zlob
213.182.197.249   traffic-searches.cn       Botnet C&C
213.182.197.237   1gigabayt.com             Zeus C&C
213.182.197.14    iframepartners.com        iframe sellers
213.182.197.228   Chlenopopik.com           Zeus C&C
213.182.197.14    Megavipsite.cn            Malware
213.182.197.20    Traffcount.cn             Malware
213.182.197.229   Newskyag.com              Money Mule Recruiting & Zeus C&C
213.182.197.235   Traffic-exchange.ru       Part of iframe redirection service
213.182.197.10    vlkontacte.ru             Russian Social Network Phish
213.182.197.251   Botnet.su                 Zeus C&C

With the Botnet.su and related installs.cc domains, the attackers clearly aren't trying to hide their motives! Botnet.su was previously used by the RBN, along with NewskyAG and others. Zeus is one of the most common threats hosted on Real Host's network.
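As an added example that is not part of the original post, the following Python script turns the indicator table above into a small detection: it indexes the listed domains and IPs, derives the smallest netblock that covers every listed IP (213.182.197.0/24), and flags proxy log lines that touch a listed domain (or a subdomain of one), a listed IP, or any other address inside that netblock. The proxy log format and the sample log lines are constructed for the example, and the IP/domain split of the rows whose columns were run together in the source (2k90.cn, 71speed.info, 1gigabayt.com) is taken as read in the table above.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Indicators as reconstructed from the table above: (IP, domain, purpose).
# Domain case is kept as the page has it; lookups are done lower-cased.
INDICATORS = [
    ("213.182.197.229", "yourgoogleanalytics.us", "Money Mule Recruiting"),
    ("213.182.197.229", "barwellsgroup.cn", "Money Mule Recruiting"),
    ("213.182.197.249", "Vikd3jj-3.com", "Malware"),
    ("213.182.197.251", "2k90.cn", "Malware"),
    ("213.182.197.13", "Mac-videos.com", "Mac Trojan"),
    ("213.182.197.236", "71speed.info", "Banking Trojan - Silent Banker"),
    ("213.182.197.8", "bestxvids.info", "Zlob"),
    ("213.182.197.249", "traffic-searches.cn", "Botnet C&C"),
    ("213.182.197.237", "1gigabayt.com", "Zeus C&C"),
    ("213.182.197.14", "iframepartners.com", "iframe sellers"),
    ("213.182.197.228", "Chlenopopik.com", "Zeus C&C"),
    ("213.182.197.14", "Megavipsite.cn", "Malware"),
    ("213.182.197.20", "Traffcount.cn", "Malware"),
    ("213.182.197.229", "Newskyag.com", "Money Mule Recruiting & Zeus C&C"),
    ("213.182.197.235", "Traffic-exchange.ru", "Part of iframe redirection service"),
    ("213.182.197.10", "vlkontacte.ru", "Russian Social Network Phish"),
    ("213.182.197.251", "Botnet.su", "Zeus C&C"),
]


def covering_network(ips):
    """Smallest CIDR block that contains every indicator IP (213.182.197.0/24 here)."""
    hosts = [ipaddress.ip_network(ip) for ip in ips]   # each address as a /32
    net = hosts[0]
    while not all(h.subnet_of(net) for h in hosts):
        net = net.supernet()                           # widen one bit at a time
    return net


def build_index(indicators):
    """Index by lower-cased domain and by IP; one host can carry several roles."""
    by_domain, by_ip = defaultdict(set), defaultdict(set)
    for ip, domain, purpose in indicators:
        by_domain[domain.lower()].add(purpose)
        by_ip[ip].add(purpose)
    return by_domain, by_ip


def classify_host(host, by_domain, by_ip, netblock):
    """Return (reason, purposes) for a hostname or IP literal, or None if clean."""
    host = host.lower().rstrip(".")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        if host in by_ip:
            return "indicator ip", by_ip[host]
        if addr in netblock:                           # unlisted neighbour in the same /24
            return f"in watched netblock {netblock}", set()
        return None
    # exact domain or any subdomain of a listed domain (cdn.71speed.info -> 71speed.info);
    # the bare TLD is never checked, so "info" alone cannot match.
    labels = host.split(".")
    for i in range(len(labels) - 1):
        parent = ".".join(labels[i:])
        if parent in by_domain:
            return f"indicator domain {parent}", by_domain[parent]
    return None


# Hypothetical proxy log line: "<timestamp> <client-ip> <method> <url> <status>".
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$")


def scan_log(lines, indicators=INDICATORS):
    """Run the indicators over log lines; returns [(client, host, reason, [purposes])]."""
    by_domain, by_ip = build_index(indicators)
    netblock = covering_network(by_ip)
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue                                   # skip malformed lines rather than crash
        host = urlsplit(m["url"]).hostname
        if not host:
            continue
        verdict = classify_host(host, by_domain, by_ip, netblock)
        if verdict:
            reason, purposes = verdict
            hits.append((m["client"], host, reason, sorted(purposes)))
    return hits


# Constructed sample log lines, not taken from the original page.
SAMPLE_LOG = [
    "2009-08-03T10:00:01Z 10.1.2.3 GET http://barwellsgroup.cn/apply.php 200",
    "2009-08-03T10:00:05Z 10.1.2.4 GET http://www.example.com/ 200",
    "2009-08-03T10:00:09Z 10.1.2.5 GET http://213.182.197.251/cfg.bin 200",
    "2009-08-03T10:00:12Z 10.1.2.6 POST http://213.182.197.200/gate.php 200",
    "2009-08-03T10:00:15Z 10.1.2.7 GET http://cdn.71speed.info/x.js 200",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for client, host, reason, purposes in scan_log(SAMPLE_LOG):
        print(f"{client} -> {host}: {reason} {', '.join(purposes)}")
```

The netblock match is deliberately separate from the exact-indicator matches: a hit on 213.182.197.200 only says the client talked to something inside the same /24 as the listed C&C and mule hosts, which is a hunting lead, not a confirmed infection, whereas a hit on Botnet.su or 71speed.info maps straight back to a row of the table. Note also that 213.182.197.251 carries two roles (2k90.cn and Botnet.su), which is why the index keeps a set of purposes per host instead of a single label.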

Blog Note:

All trademarks and copyrights on this blog are owned by their respective owners. Unless otherwise stated, opinions expressed here are entirely that of rbnexploit.blogspot.com. All analyses are for personal edification, educational, and research purposes only. Any DNS, IP address, domain, or AS # mentioned is derived from exhaustive research and cross correlation from 3rd parties. Any queries contact rbnexploit (at) gmail.com